to introduce you to a very cool DNS tool that has been added to the old DCDiag.exe that you no doubt have used in the past to assess a domain's health. This new version of DCDiag is available in the Windows Server 2003 SP1 support tools on Microsoft's website.

The DCDiag tool must be run on a Windows Server 2003 server or a Windows XP workstation, but there can be Windows 2000 servers, DCs and clients in the domain. The example shown later in this article is the result of this command run in a Windows 2000 domain.

Introduction to DCDiag /Test:DNS

Microsoft has stated that one of the biggest call generators their support engineers face is that of misconfigured DNS environments. We aren't talking rocket science here (no deep dark secrets or unreported bugs). Just simple stuff – delegations pointing to the wrong server, TCP/IP properties of DCs not pointing to the right DNS server (perhaps a DNS server's IP address changed), or the always popular disabling of dynamic updates.

The problem, of course, is that in a complex environment of many sites and DCs, a multiple-domain model, and several admins in different time zones, it gets difficult to keep track of changes. In order to help their support engineers as well as customers, Microsoft developed a very powerful option to the DCDiag.exe tool that tests the entire environment and reports on the DNS "health" of each DNS server in every domain in the forest. Besides providing detailed information on every error related to DNS configuration, it includes a summary at the end: a simple table listing the DNS servers and the various tests, with a Pass, Fail, or Warn in each field. This gives you a quick snapshot of the health of the entire DNS structure, along with sufficient error detail to allow you to resolve the problems.

Command Syntax

Let's look at the command syntax. The command is:

DCdiag /Test:DNS

The options are:

/v              verbose output
/e              test all DCs in the forest (enterprise)
/a              test all DCs in this site
/s:<DCname>     focus on a single DC
/f:<logfile>    write the report to a log file
/ferr:<errlog>  write fatal errors to a separate file

There are six (6) basic tests that can be run separately or together. You can specify individual tests to run with these switches:

/DnsBasic
/DnsForwarders
/DnsDelegation
/DnsDynamicUpdate
/DnsRecordRegistration
/DnsResolveExtName (with /DnsInternetName:<name> to choose the external name to resolve)
/DnsAll (all of the above)

If you don't specify any of these switches, it will run all tests except the DnsResolveExtName test.

In my experience to this point with this tool, I've always run all the tests. It may make sense if you narrow the problem down to a forwarder on one server, to create a command to specify the /S: switch with the DC name and just run the forwarder test, but I've never used it.

Here is sample output from a pretty broken domain (the names have been changed for security reasons). The command we used is simple:

Dcdiag /test:DNS /v /e /f:dnstest.txt

Note: You can also use >dnstest.txt rather than the /f: option if you prefer.

Let's start with the summary. This will be the last thing done and will appear at the end of the file:

                   Auth  Basc  Forw  Del   Dyn   RReg  Ext
Domain: NA.company.com
   NA-DC1          PASS  WARN  FAIL  PASS  PASS  PASS  n/a
   NA-DC2          PASS  PASS  FAIL  PASS  PASS  PASS  n/a
   NA-DC8          PASS  FAIL  n/a   n/a   n/a   n/a   n/a
   NA-DC9          PASS  WARN  FAIL  PASS  PASS  PASS  n/a
   NA-DC12         PASS  PASS  FAIL  PASS  PASS  PASS  n/a
   NA-DC14         PASS  WARN  FAIL  PASS  PASS  PASS  n/a
   NA-DC15         PASS  WARN  n/a   n/a   n/a   PASS  n/a
   NA-DC19         PASS  WARN  n/a   n/a   n/a   FAIL  n/a
   NA-DC21         FAIL  FAIL  n/a   n/a   n/a   n/a   n/a
Domain: SA.Company.com
   SA-DC1          PASS  FAIL  n/a   n/a   n/a   n/a   n/a
   SA-DC2          PASS  FAIL  n/a   n/a   n/a   n/a   n/a
   SA-DC3          PASS  FAIL  n/a   n/a   n/a   n/a   n/a
   SA-DC4          PASS  FAIL  n/a   n/a   n/a   n/a   n/a
Domain: company.com
   Com-DC3         PASS  PASS  FAIL  PASS  WARN  PASS  n/a
   Com-DC5         PASS  PASS  FAIL  PASS  WARN  PASS  n/a
   Com-DC6         PASS  WARN  FAIL  PASS  WARN  PASS  n/a
   Com-DC7         PASS  WARN  FAIL  PASS  WARN  PASS  n/a

Discussion Points

One very cool thing about the summary, which is actually a by-product of the command, is that it lays out the entire domain structure (lists all the domains) and all the DCs in each domain. I'm not aware of a faster way of getting this information, so even if that's all you use it for, I think it has great value.

In this example we see that there are three domains – company.com, NA.company.com and SA.company.com – and we see all the DCs associated with each domain. The tests, in order from left to right, are Authentication, Basic (connectivity), Forwarders, Delegation, Dynamic Updates enabled, Resource Record Registration, and External Name. Further, we can see there are a LOT of Warn and Fail reports. Note that there are some n/a entries in the table. They are listed for every server under the External Name test, since that test is not run by default. Otherwise an n/a entry means that the test depends on a previous component being available, and the test is not run since the dependency would cause it to fail.

Note that NA-DC8 and all the DCs in the SA domain report PASS on the Authentication test but FAIL on the Basic (connectivity) test, and NA-DC21 fails even Authentication. In each case the remaining tests are not run and are flagged n/a.

Resolving the Errors

The actual output in this example is several pages long due to the errors. However, some sample errors are shown here. If we focus on NA-DC1, for example, we see it fails the Forwarders test and gets a warning on the Basic connectivity test. Looking in the results earlier in the report we see:

(Note that we have only included the Authentication, Basic and Forwarder tests, but you can see how these are the details for the entries in the summary table we saw previously. Where the table gave Warn, Pass, Fail, this part includes the details.)

So in these tests we see nice details like the IP address and that it is static. In addition there are two network adapters: the DNS server configured on one of them is the loopback address, which the test flags (point the adapter at a real DNS server IP address instead), and the DNS server address specified for the second adapter is invalid (thus the warning).

Further, in the Forwarders test, we can see recursion is enabled. That is as it should be: on a Windows DNS server, disabling recursion also disables forwarders, so recursion must stay on for the forwarders to be used. We also see the cause of the Fail status. Both forwarders are reported as "Invalid". Looking at the summary we see that every DC is getting the Fail status on the Forwarders test. Obviously the two IP addresses used for forwarders are not valid (most likely the forwarders' IP addresses changed and the forwarder list on the DCs was never updated).
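To check the same two things the detail output pointed at, here is an added PowerShell example (not code from the original article, which predates PowerShell): it flags loopback or unresponsive DNS server addresses on each adapter of the DC and probes each configured forwarder. It assumes it is run on the DC itself, on Windows Server 2012 or later with the DnsServer and NetTCPIP modules available; the external name www.microsoft.com used to probe the forwarders is an assumption, not something the article specifies.

```powershell
# Added example, not from the original article (which predates PowerShell).
# Assumes: run locally on a DC that holds the DNS server role, Windows Server 2012+
# with the DnsServer and NetTCPIP modules. The external probe name is an assumption.

function Test-DnsServerAnswers {
    # Ask $Server directly (no local cache, no fallback to other servers) for $Name.
    param([string]$Server, [string]$Name, [string]$Type = 'A')
    try {
        $null = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop
        $true
    } catch {
        $false
    }
}

function Get-DnsClientFindings {
    # $Adapters: objects with InterfaceAlias and ServerAddresses, as Get-DnsClientServerAddress returns.
    # Mirrors the Basic test: loopback entries and DNS servers that do not answer for the AD zone.
    param([Parameter(Mandatory)]$Adapters, [Parameter(Mandatory)][string]$Zone)
    foreach ($a in $Adapters) {
        foreach ($ip in $a.ServerAddresses) {
            $finding = if ($ip -like '127.*' -or $ip -eq '::1') {
                'loopback address configured as DNS server; use a real DNS server IP address'
            } elseif (-not (Test-DnsServerAnswers -Server $ip -Name $Zone -Type 'SOA')) {
                'configured DNS server does not answer for the AD zone (wrong or changed address?)'
            }
            if ($finding) {
                [pscustomobject]@{ Check = 'DnsClient'; Where = $a.InterfaceAlias; Address = $ip; Finding = $finding }
            }
        }
    }
}

function Get-ForwarderFindings {
    # Mirrors the Forwarders test: recursion must be on, and each forwarder must resolve an external name.
    param([string[]]$Forwarders, [bool]$RecursionEnabled, [string]$ExternalName = 'www.microsoft.com')
    if (-not $RecursionEnabled) {
        [pscustomobject]@{ Check = 'Forwarders'; Where = 'server'; Address = '-'
                           Finding = 'recursion is disabled, which also disables forwarders on a Windows DNS server' }
    }
    foreach ($fwd in $Forwarders) {
        if (-not (Test-DnsServerAnswers -Server $fwd -Name $ExternalName)) {
            [pscustomobject]@{ Check = 'Forwarders'; Where = 'server'; Address = $fwd
                               Finding = 'forwarder does not resolve an external name; invalid or changed address' }
        }
    }
}

# Collect the live configuration of this DC and run both checks.
$zone       = $env:USERDNSDOMAIN
$adapters   = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }
$forwarders = (Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString }
$recursion  = (Get-DnsServerRecursion).Enable

@(Get-DnsClientFindings -Adapters $adapters -Zone $zone) +
@(Get-ForwarderFindings -Forwarders $forwarders -RecursionEnabled $recursion) |
    Format-Table -AutoSize
```

An empty table means every adapter points at a DNS server that answers for the domain zone and every forwarder resolves the probe name; anything listed corresponds to the kind of entry that shows up as WARN or FAIL under Basc and Forw in the dcdiag summary.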

With this kind of detail, we can work our way through the table - DC by DC - then re-running the DCDiag /test:DNS tool until everything passes. It should be obvious that this is much faster and more efficient than combing event logs on 50 DCs.
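To work through the table DC by DC without reading the whole log by hand, here is an added PowerShell example (not code from the original article): it parses the summary table from a dcdiag /test:dns log and, for every DC with a WARN or FAIL, builds the targeted re-run mentioned earlier (/s: plus the individual test switches). The sample summary embedded below is constructed from this article's table, and the exact header layout of the real report is assumed; the parser keys on the seven status tokens in each row, not on column positions, so minor spacing differences do not matter.

```powershell
# Added example, not code from the original article. Parses the "Summary of DNS test
# results" table written by dcdiag /test:dns and builds a targeted re-run command for
# each DC that shows FAIL or WARN. The sample summary below is constructed from the
# article's table; the header layout is an assumption.

$TestColumns = 'Auth', 'Basc', 'Forw', 'Del', 'Dyn', 'RReg', 'Ext'

# Column -> dcdiag switch that runs just that test. Auth has no switch of its own;
# it is part of the connectivity check that every run performs.
$TestSwitch = @{
    Basc = '/DnsBasic';         Forw = '/DnsForwarders';        Del = '/DnsDelegation'
    Dyn  = '/DnsDynamicUpdate'; RReg = '/DnsRecordRegistration'; Ext = '/DnsResolveExtName'
}

function ConvertFrom-DcDiagDnsSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $domain = $null
    $status = '(?:PASS|WARN|FAIL|n/a)'
    # A data row is a DC name followed by exactly seven status tokens.
    $row = '^\s*(?<dc>\S+)\s+(?<s>' + $status + '(?:\s+' + $status + '){6})\s*$'
    foreach ($line in $Lines) {
        if ($line -match '^\s*Domain:\s*(?<d>\S+)') { $domain = $Matches['d']; continue }
        if ($line -match $row) {
            $dc     = $Matches['dc']
            $values = $Matches['s'] -split '\s+'
            $obj = [ordered]@{ Domain = $domain; DC = $dc }
            for ($i = 0; $i -lt $TestColumns.Count; $i++) { $obj[$TestColumns[$i]] = $values[$i] }
            $bad = $TestColumns | Where-Object { $obj[$_] -in 'FAIL', 'WARN' }
            $obj['Problems'] = ($bad -join ',')
            $switches = $bad | Where-Object { $TestSwitch.ContainsKey($_) } | ForEach-Object { $TestSwitch[$_] }
            $obj['FollowUp'] = if ($switches) { "dcdiag /test:dns /s:$dc $($switches -join ' ') /v" } else { '' }
            [pscustomobject]$obj
        }
    }
}

function Invoke-DcDiagDnsSummary {
    # Runs the same command the article uses and parses the log it writes (summary is at the end).
    param([string]$LogPath = "$env:TEMP\dnstest.txt")
    & dcdiag.exe /test:dns /v /e "/f:$LogPath" | Out-Null
    ConvertFrom-DcDiagDnsSummary -Lines (Get-Content -Path $LogPath)
}

# Constructed sample, taken from the table in this article (layout assumed).
$sample = @'
      Summary of DNS test results:

                                         Auth Basc Forw Del  Dyn  RReg Ext
         _________________________________________________________________
         Domain: NA.company.com
            NA-DC1                       PASS WARN FAIL PASS PASS PASS n/a
            NA-DC8                       PASS FAIL n/a  n/a  n/a  n/a  n/a
            NA-DC21                      FAIL FAIL n/a  n/a  n/a  n/a  n/a
         Domain: company.com
            Com-DC3                      PASS PASS FAIL PASS WARN PASS n/a
'@ -split "`r?`n"

ConvertFrom-DcDiagDnsSummary -Lines $sample |
    Where-Object Problems |
    Format-Table Domain, DC, Problems, FollowUp -AutoSize
```

Against the sample, NA-DC1 comes out with Problems "Basc,Forw" and a FollowUp of dcdiag /test:dns /s:NA-DC1 /DnsBasic /DnsForwarders /v, while NA-DC21 lists "Auth,Basc" and gets only /DnsBasic, since there is no separate switch for the Authentication check. On a real DC, replace the sample with Invoke-DcDiagDnsSummary and re-run it after each fix until the Problems column is empty.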
